Disclaimer: Security is a moving and vast subject. Stay updated! What is secure today could be insecure tomorrow.
Second disclaimer: Sorry for any errors in this post. It's really long, and I'm not an editor.
Links could be broken in the future.
Security has many subcategories, and it all depends on the context. It is probably one of the most complex subjects of today. I will cover a lot of topics in this article, but not all. Security is extremely vast; there is more to it than cryptography.
Security is important: spread the word, participate, share your knowledge (preferably without being rude).
I go over some myths, attack vectors, best practices and resources.
Yep, myth busting time.
Private Internet Access says:
Private Internet Access® VPN Service encrypts your connection and provides you with an anonymous IP to protect your privacy.
Keep your browsing history private. As a Swiss VPN provider, we do not log user activity or share data with third parties. Our anonymous VPN service enables Internet without surveillance.
Imagine VPN as a hack-proof, encrypted tunnel for online traffic to flow. Nobody can see through the tunnel and get their hands on your internet data. NordVPN gives you peace of mind each time you use public Wi-Fi, access personal and work accounts on the road, or want to keep your browsing history to yourself.
Nothing is hack-proof. No one is 100% anonymous. VPNs do not provide anonymity. A VPN provider sees everything your ISP would otherwise see; you have only moved the trust. The question is: do you trust your VPN provider more than your ISP? VPNs are great for bypassing censorship and for preventing your ISP from seeing which hosts you connect to.
It's good practice to use a VPN to encrypt your internet traffic when you're using public WiFi.
But Tari, VPNs mask your IP!
Yes, I know that. But that's not the only factor in obtaining anonymity.
Just because you are using a UNIX-like machine does not make you immune to viruses. Malware for those systems is less common, mostly because most malware targets Windows and macOS users. I am referring to desktop use, not servers.
This does not mean anti-virus programs are a silver bullet. Don't click on those phishing Facebook messages saying "Check out yourself in this YouTube video!". Don't. Click. Random. Links.
Check out ClamAV.
Common sense is important!
Most people have many accounts on the internet, for many services: Hulu, Netflix, banking, etc.
Banking is sensitive. Bank accounts have money in them. Why wouldn't an attacker want your money, or your credit card information? Or your Amazon account, to buy stuff with?
True story, my Mom's Hulu account got attacked by a malicious third-party. And my Dad's email and Amazon account were breached. Yes, this was recent, only a couple/few months ago.
Privacy is a category of security. Cryptography helps maintain your privacy. Conversations between you and your therapist are supposed to be confidential, private, secret.
Cryptography can be used to ensure that secrets stay secret (or that private things stay private).
Let's say you're signing into a service. They log your IP address, user agent, device, etc., and store it all in plaintext. No! They could encrypt it so that only you can see your list of authenticated IPs and user agents. They could also store a hash of each sign-in context and compare the hash of every new sign-in against the stored ones; if nothing matches, flag the sign-in as potentially suspicious and require an additional authentication factor before that session is granted. One caveat: a plain hash of an IPv4 address is trivially reversible (there are only 2^32 addresses to try), so the hash should be keyed with a server-side secret, i.e. an HMAC, not a bare SHA-256.
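Here is what that comparison looks like in code. This is an added example, not code from the original post: it keeps a keyed fingerprint (HMAC-SHA256) of each known sign-in context instead of the raw IP and user agent, and tells the caller when to demand a step-up factor. The key, the sample addresses and the user agent strings are all constructed for the example.

```python
import hashlib
import hmac

# Assumed server-side secret. In production load it from a secrets store and
# rotate it; it is hard-coded here only so the example runs stand-alone.
# Keying the hash is what makes storing it worthwhile: the IPv4 space is only
# 2^32 values, so an unkeyed SHA-256 of an address is reversible by brute force.
SERVER_KEY = b"example-server-key-rotate-me"


def fingerprint(ip: str, user_agent: str) -> str:
    """Keyed hash of the sign-in context. Only this value is stored."""
    msg = f"{ip}\n{user_agent}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def classify_signin(known: set, ip: str, user_agent: str) -> str:
    """Return 'ok' for a previously seen context, 'step-up' for a new one.

    On 'step-up' the caller should require an extra factor before issuing a
    session, and add the new fingerprint to `known` only after it succeeds.
    """
    fp = fingerprint(ip, user_agent)
    return "ok" if fp in known else "step-up"


def remember_signin(known: set, ip: str, user_agent: str) -> None:
    """Record a context once the user has passed the additional factor."""
    known.add(fingerprint(ip, user_agent))


# Constructed sample data: one account that has signed in from one place so far.
KNOWN = {
    fingerprint("203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"),
}

if __name__ == "__main__":
    print(classify_signin(KNOWN, "203.0.113.7",
                          "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"))
    print(classify_signin(KNOWN, "198.51.100.42", "curl/8.0.1"))
```

The fingerprints are useless to anyone who dumps the table without `SERVER_KEY`, and the service never has to keep a plaintext list of where you log in from. Don't log the fingerprint next to the raw IP, or the whole point is lost.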
Privacy is not anonymity!
This section is geared towards developers. There are so many attack vectors. I will only be going over a few.
SQL Injection; XML External Entities; Session Fixation; Weak Session Identifiers; Cross-Site Request Forgery; Cross-Site Scripting; Reflected Cross-Site Scripting; Command Execution; Clickjacking; Directory Traversal; DOM-based (Document Object Model) Cross-Site Scripting; File Upload Vulnerabilities; Broken Access Control; Open Redirects; Unencrypted Communications; Data Mismanagement;
XXE/XEE. Read more ...
XML has some security issues. With XML External Entities (XXE/XEE), an attacker-supplied document declares an entity that points at an external resource (a local file, an internal URL), and a parser that resolves external entities will happily read it and return the contents, or make the request, on the attacker's behalf. Unless you genuinely need DTDs, configure your XML parser to disable DTD processing and external entity resolution.
XSS. Read more ...
There is more to Cross-Site Scripting (XSS) than a simple alert(1). Much more. It is a complex subject, and issues like these are STILL around today. HTML, JavaScript, CSS and URLs each have their own parser with its own escaping rules, so a value that is safe to echo in one context (say, HTML text) is not safe in another (an attribute, a script block, a style, a URL), and output has to be encoded for the exact context it lands in. On top of that, browsers don't all parse the edge cases identically, so a payload that one browser treats as text another may execute. That makes a single universal fix hard to push.
This is a parser differential issue, and there are many different ways to attack different browsers.
SQLi. Read more ...
SQL Injection (SQLi) is, for the most part, a solved problem; where it still appears, it's mostly in legacy projects. Vulnerabilities still pop up, but they are usually spotted and patched quickly.
Use prepared (parameterised) statements for every query that includes user-controlled data, so the values are sent separately from the SQL text and can never change the structure of the query.
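To make the difference concrete, here is an added example (not code from the post) with the vulnerable and the parameterised version of the same login query side by side, run against a constructed in-memory SQLite table. The table, the user row and the injection string are all made up for the example; the point is that the same input logs in against one function and not the other.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one user row.

    The password is stored in plaintext only to keep the example short; a real
    system stores a password hash, which does not change the injection lesson.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The classic mistake: user input is concatenated into the statement text,
    # so a quote in the input ends the string literal and the rest is parsed
    # as SQL. With PAYLOAD below the WHERE clause becomes
    #   name = 'alice' AND password = '' OR '1'='1'
    # which is true for every row.
    sql = (f"SELECT 1 FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterised statement: the SQL text is fixed and the driver binds the
    # values separately, so quotes in the input are just data.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


PAYLOAD = "' OR '1'='1"   # constructed injection string


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", PAYLOAD))                  # True: no password needed
    print(login_safe(db, "alice", PAYLOAD))                        # False
    print(login_safe(db, "alice", "correct horse battery staple")) # True
```

The placeholder syntax is `?` for SQLite; other drivers use `%s` or `:name`, but the principle is the same. Escaping by hand is not a substitute.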
Session fixation. Read more ...
Session identifiers usually live in cookies. If the session cookie is set without the HttpOnly flag, script injected through an XSS bug can read it via document.cookie and ship it to the attacker.
Anyone who holds the identifier is logged into your account. Strictly speaking that is session hijacking; session fixation is the related attack where the attacker gets a session identifier they already know set in the victim's browser before login, then simply waits for the victim to authenticate with it.
Set the HttpOnly flag so scripts cannot read the session cookie (and Secure, so it is never sent over plain HTTP), issue a brand-new session identifier every time a user authenticates so a pre-planted one is never upgraded, and destroy the XSS vulnerabilities.
Weak session identifier. Read more ...
A low-entropy or easily guessable session identifier makes it easy for an attacker to pose as an authenticated user.
The solution is a 256-bit session identifier generated by a CSPRNG. Guessing one means searching 2^256 possibilities, which will simply never finish. Send the raw identifier to the client, but do not store it as-is on the server. Note that hashing does not add entropy, so it cannot rescue a broken CSPRNG; its job is a different one, described next.
Storing raw session identifiers on the server creates a problem of its own. Anyone who can read the session table, whether an attacker who breached the server or a database administrator with legitimate access, can present any stored identifier and be authenticated as that user. In that scenario the server administrator is effectively an attacker too.
So hash the session identifier server-side with a good algorithm, preferably from the SHA-2 family, the SHA-3 family, or BLAKE2b, and look sessions up by the hash. A fast hash is the right choice here: the identifier already carries 256 bits of entropy, so a slow password hash would add nothing except latency on every request.
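Here is the whole scheme in one place, as an added example rather than code from the post: a 256-bit identifier from the OS CSPRNG, a server-side table that holds only SHA-256 hashes of it, and a rotation step on authentication that also covers the session fixation case from the previous section. The in-memory dictionary stands in for the session store and is constructed for the example.

```python
import hashlib
import secrets

# Constructed in-memory session store: sha256(token) -> user id (None while
# the visitor is anonymous). A dump of this table yields hashes only, which
# cannot be presented to the server as session identifiers.
SESSIONS = {}


def _digest(token: str) -> str:
    # A fast hash is correct here: the token has 256 bits of entropy, so a
    # slow password hash would buy nothing and would cost time on every request.
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id=None) -> str:
    """Mint a fresh identifier from the CSPRNG and store only its hash.

    The raw token is returned so it can be sent to the client; it is never
    written anywhere on the server.
    """
    token = secrets.token_urlsafe(32)   # 32 random bytes = 256 bits of entropy
    SESSIONS[_digest(token)] = user_id
    return token


def session_exists(token: str) -> bool:
    return _digest(token) in SESSIONS


def lookup_session(token: str):
    """Resolve a client-supplied token to a user id, or None if it is not
    a session (or is an anonymous one)."""
    return SESSIONS.get(_digest(token))


def destroy_session(token: str) -> None:
    SESSIONS.pop(_digest(token), None)


def authenticate(presented_token, user_id: int) -> str:
    """Called once the user has proven their identity.

    Whatever identifier the browser already carried, possibly one planted by
    an attacker (session fixation), is discarded and a new one is issued, so
    a pre-login identifier is never upgraded to an authenticated session.
    """
    if presented_token is not None:
        destroy_session(presented_token)
    return create_session(user_id)


if __name__ == "__main__":
    anon = create_session()
    authed = authenticate(anon, 42)
    print(lookup_session(authed))        # 42
    print(session_exists(anon))          # False: the old identifier is dead
```

The identifier is only ever compared by its hash, so an attacker who reads `SESSIONS` learns nothing they can present to the server, and the rotation in `authenticate` is the one-line fix for fixation.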
Cookies are stored on the user's device, and the user has complete control over them: they can edit them, delete them, and create new ones. Cookie values cannot be trusted.
The solution is to authenticate cookie values with a digital signature or, more commonly, an HMAC under a server-side key, so that tampering is detectable. If the value doesn't verify, report it, make it scream, AND DO NOT USE THE COOKIE VALUE. Signing only prevents tampering; the user can still read the value, so never put a secret in a signed cookie unless it is also encrypted.
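An HMAC-signed cookie, with the Set-Cookie flags from the session section, as an added example (not code from the post). The signing key and the sample cookie contents are constructed; a real deployment loads the key from a secrets store.

```python
import base64
import hashlib
import hmac
import json

# Assumed server-side signing key, hard-coded only so the example runs stand-alone.
COOKIE_KEY = b"example-cookie-signing-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_payload(data: dict) -> str:
    # Canonical JSON so the same data always signs to the same bytes.
    return _b64(json.dumps(data, separators=(",", ":"), sort_keys=True).encode())


def sign_cookie(data: dict) -> str:
    """Serialise `data` and append an HMAC-SHA256 tag: "<payload>.<tag>".

    Note that the payload is only encoded, not encrypted: anyone holding the
    cookie can read it. Signing guarantees integrity, not confidentiality.
    """
    payload = _encode_payload(data)
    tag = _b64(hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"


def verify_cookie(value: str):
    """Return the dict if the tag verifies, otherwise None.

    Callers must treat None as "no cookie": the payload is never parsed
    before the tag has been checked.
    """
    try:
        payload, tag = value.split(".", 1)
        given = _unb64(tag)
    except ValueError:           # malformed cookie (binascii.Error is a ValueError)
        return None
    expected = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison: a plain == leaks where the tag first diverges.
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(_unb64(payload))


def set_cookie_header(name: str, value: str) -> str:
    """Set-Cookie line with the flags the session section calls for:
    HttpOnly keeps document.cookie from reading it, Secure keeps it off plain
    HTTP, SameSite=Strict stops it riding along on cross-site requests."""
    return f"Set-Cookie: {name}={value}; HttpOnly; Secure; SameSite=Strict; Path=/"


if __name__ == "__main__":
    cookie = sign_cookie({"user": 1, "role": "user"})
    print(set_cookie_header("prefs", cookie))
    print(verify_cookie(cookie))          # {'role': 'user', 'user': 1}
    # A user who edits the payload to role=admin but keeps the old tag is rejected.
    forged = _encode_payload({"user": 1, "role": "admin"}) + "." + cookie.split(".", 1)[1]
    print(verify_cookie(forged))          # None
```

Two things worth noticing: the tag check happens before `json.loads`, so untrusted bytes never reach the parser, and a verified cookie still tells you only that the server issued it, not that it is current (that is what the hashed session store is for).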
Follow along with these best practices, and be sure to suggest these to your family, friends, acquaintances and strangers. This section is geared towards the average user.
You should be using diceware passphrases to protect your password manager, your device login, and anywhere else a password manager can't fill in for you.
You probably have lots of credentials. Use a password manager to keep them safe. There are many of them; stick with free, open-source solutions, so that independent developers can review how they handle your data.
Hardware security keys, TOTP authenticator apps, and email and SMS one-time codes all add a second factor beyond the password. Use them wherever possible, preferring a hardware key or TOTP app when the service offers one.
NOTE: SMS two-factor authentication is weak (codes can be intercepted through SIM swapping or the phone network), but it's better than no second factor at all.
Make sure you are double checking links, and not trusting random ones at that. Do not click them if they seem suspicious.
Make sure to use anti-virus software on your systems, and a firewall too.
Do note that some (ahem, a lot) of these links are geared towards people who understand the technical details of certain subjects. I am being vague on purpose, because the subjects vary.
All these I have personally been using for a while.
- Does my site need HTTPS? Definitely.
- Latacora blog.
- ParagonIE blog.
- Dev.to Duh! You're here.
- Crypto stack exchange.
- Security stack exchange.
- InfoSec HandBook
- Electronic Frontier Foundation.
- Hacker News.
- Crypto Engineering blog.
- Schneier on security.
- Live Overflow site.
Don't be afraid. Share your thoughts and resources below.